Signing a key indicates explicitly that you believe a combination of a key and a uid (e.g. email address) to be authentic. The graph of all member keys connected by signatures is the OpenSkills Identity Matrix.

If you are a Debian user you can use the signing-party package to help, and in particular the gpg-key2ps and caff commands. Please do read the following notes as well.

Here, we focus on the parts of keysigning applicable to OpenSkills. For a more general overview the PGP Keysigning party HOWTO gives a great (and amusing) description of what it means to sign keys, and the process involved.

Key authenticity

Key signing involves more than typing in commands. The commands merely record the result of an assessment: an assessment of the authenticity of a key and your confidence in the identity of another person.

To have someone else sign your key you must meet them in person, demonstrate that you are who you claim to be, and give them information so that they can identify your key (the key to be signed).

Meeting in person is a guard against interception of communications. For this reason it is never acceptable to sign (or expect someone else to sign) a key identified by email, or any other electronic means. The only exception to this is the use of a telephone, but only if a physical meeting is impossible and you know the other person very well indeed.

Use some kind of photo ID to prove you are who you say you are. For example, a driving license or a passport.

Identify the key to be signed using a key fingerprint. An easy way to get this is to print out the key details as displayed on a public key server web interface. Alternatively, use the gpg --fingerprint command. For the Fred Bloggs key we have used in the example, gpg --fingerprint 0637B724 yields something like:

Use a word processor to make up a sheet with lots of copies of the fingerprint, and cut the sheet into slips - each with a single copy of the fingerprint. Give one of these slips to the person you are asking to sign your key,

The preceding steps are critical to the quality, and therefore value, of the OpenSkills Identity Matrix. If a questionable identity is introduced to the matrix, the entire matrix is devalued. If in doubt, don't sign.

Signing a key

REMEMBER: Only sign keys after you have positively checked the identity of the other party and the key to be signed!

Always sign keys on a trusted computer. Do not install your private key on someone else's machine in order to sign keys. If you are at a key signing party where many people are exchanging key information, wait till you get home before working carefully through the following.

After making absolutely sure that the person asking you to sign a key is who they claim to be, and obtaining from them the identity of the key, signing is fairly straightforward. When signing a key, it is possible to say how much confidence you have in the authenticity of the key you sign.

First, add the key to your key ring. Merely adding a key to your key ring says nothing about the authenticity of a key.

For the purposes of OpenSkills, we require that the key associated with membership be in a public key repository. Check that the key is on the key server through the web interface. If the key is not there, get the person asking you to sign the key to put it on the key server. You can get a known key from a key server using the ID of the key (0637B724 in the case of the Fred Bloggs key) with the command:

gpg --keyserver subkeys.pgp.net --recv-keys 0637B724

or if Fred's email address is fred@bloggs.com:

gpg --keyserver subkeys.pgp.net --search-keys fred@bloggs.com

Now the key is on your key ring, so you can check the fingerprint against the information given to you by the person asking you to sign the key. Use the --fingerprint gpg command to look at the fingerprint, as in the example above.
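As an added example (not part of the OpenSkills page), here is a POSIX shell check for the fingerprint comparison step. It parses GnuPG's machine-readable --with-colons --fingerprint output, whose fpr records carry the full 40-digit fingerprint, and accepts only if the slip matches the whole fingerprint rather than just the 8-digit key ID; the sample output and fingerprint below are constructed and do not belong to any real key.

```shell
#!/bin/sh
# Added example (not from the OpenSkills page): check the fingerprint on a
# paper slip against the one GnuPG reports, before running --sign-key.
# It parses GnuPG's machine-readable --with-colons output, where "fpr"
# records carry the full fingerprint in field 10. The sample is constructed.

# Normalise a fingerprint as written on a slip: drop whitespace, upper-case it.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Fingerprint of the primary key: field 10 of the first "fpr" record
# (later fpr records belong to subkeys).
primary_fpr() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Return 0 only if the slip holds a full 40-digit fingerprint that matches
# the key on the ring AND ends in the short key ID you fetched. A short
# 8-digit ID alone is not enough: different keys can share it.
fingerprint_matches() {
    slip=$(normalise_fpr "$1")
    have=$(primary_fpr "$2")
    keyid=$(printf '%s' "$3" | tr 'a-f' 'A-F')
    [ "${#slip}" -eq 40 ] || return 1
    [ "$slip" = "$have" ] || return 1
    case "$slip" in *"$keyid") return 0 ;; esac
    return 1
}

# Constructed sample (not a real key) of what
#   gpg --with-colons --fingerprint 0637B724
# could print for the Fred Bloggs key used on the page.
SAMPLE_COLONS='pub:-:2048:1:C6D7E8F90637B724:1420070400::-:::scESC::::::23::0:
fpr:::::::::0A1B2C3D4E5F60718293A4B5C6D7E8F90637B724:
uid:-::::1420070400::0000000000000000000000000000000000000000::Fred Bloggs <fred@bloggs.com>::::::::::0:
sub:-:2048:1:FEDCBA9876543210:1420070400::::::e::::::23:
fpr:::::::::1111222233334444555566667777888899990000:'

# The fingerprint as written on Fred's paper slip.
SLIP='0A1B 2C3D 4E5F 6071 8293 A4B5 C6D7 E8F9 0637 B724'

if fingerprint_matches "$SLIP" "$SAMPLE_COLONS" 0637B724; then
    echo "fingerprint matches; safe to continue with gpg --sign-key 0637B724"
else
    echo "fingerprint MISMATCH; do not sign" >&2
fi
```

On a real key ring, replace SAMPLE_COLONS with the output of gpg --with-colons --fingerprint followed by the key ID, and type the slip fingerprint in by hand rather than pasting it from anything electronic.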

Once you are quite sure that you have the correct key:

Remember that you can abort the signing process at any point by typing Ctrl+C.

Start the signing using --sign-key. For example, using the Fred Bloggs key ID, the command is: gpg --sign-key 0637B724

The following describes the use of gpg --edit-key, an alternative to using gpg --sign-key. If there is more than one email address associated with the key you are signing, you will be asked whether you wish to sign them all. If you know for sure that the person asking you to sign the key owns all of the addresses, go ahead and enter "yes". Otherwise, enter "no", then select the addresses you recognise by entering the number displayed next to each of them (one number at a time). Finally, enter "sign".

You will be asked how confident you are that the key is authentic. If you don't feel able to answer with a 3 (I have done very careful checking), ask yourself why you are signing the key in the first place.

Once --sign-key has finished, you have signed the key. The last thing to do is to update the key on the key server with your signature.